Previous by Date Index by Date
Threaded Index
Next by Date

Previous by Thread Next by Thread

RE: Secure networks


In response to Ann's message:

> -----Original Message-----
> From: Ann Okerson []
> We have in hand a license from an important journal publisher, for
> this publisher's electronic versions.  It's pretty good.  But therein
> is a definition that reads:
> 	"Secure" with regard to the server or Network from which access 
> 	to Authorized Users is to be given means:  only a server or
> 	Network or Networks over which the Institution has absolute
> 	control and can prevent the further distribution of material.
> This definition is later used in important clauses pertaining to use and
> so on.  My question:  This seems to me an unusually high standard
> ("absolute control") which in turn makes ultra-high expectations of
> licensing institutions -- ones that we cannot commit to.   So, two
> questions:
> 1.  Are we reading this correctly, or is there some other interpretation?
> 2.  Are there, in fact, such secure servers/networks in academiia, ones
> over which the instituions do have absolute control?  How does one create
> such a highly secure environment? 

Both of your questions essentially are the same --- what does the
publisher mean by 'absolute control?' Perhaps the real question is, what
is their intent? Are they demanding that the licensee provide absolute
_access_control_ to ensure that the materials may only be _accessed_ by
the license group, or are they demanding that the licensee provide a
network that ensures that the material won't leave the network --- that
copies can't be distributed outside the network. This is very closely
related to the first, but not equivalent.

If it is absolute _access_control_ that they really demand, then it
would seem that the licensee is obligated to provide a level of access
security that ensures that only users in the license group can get at
it. This may just be the institutional community. The library server
would need to authenticate institutional users and/or client nodes that
are within the institution's domain(s). This is fairly common for
corporate intranets. How difficult it is depends on the intranet
configuration and the servers used. And the management effort is more
difficult if the authorized users form a subset of the total community
--- then the access control list would need to be tailored to that
license group.

Distribution control is probably easier to ensure, since most
institutional servers have layers that prevent even intra-institutional
access to the sources (as opposed to internal Web access). These help
the material from propogating internally. A few institutions and many
corporations then wrap a firewall around these layers. 

The most difficult problem is preventing authorized users from
distributing the material. To ensure 'absolute control' you shouldn't
let even authorized users get at the source directories (i.e. 'under the
hood'). Current browsers allow users to 'snarf' material; document
structures often make this tedious. Their efforts would clearly be
expedited if they could grab whole directories!

I hope this helps!


| John Erickson, Ph.D.   VP-Rights Technologies
| Yankee Rights Management
| 999 Maple Street              802-649-1847(V)
| Contoocook, NH 03229          802-649-2193(F)
© 1996, 1997 Yale University Library
Please read our Disclaimer
E-mail us with feedback